SlideShare ist ein Scribd-Unternehmen logo

Huiming Liu-'resident evil' of smart phones--wombie attack

G
GeekPwn Keen

In this presentation, Huiming Liu, the researcher of Tencent Security Xuanwu Lab, will present an astonishing mobile wireless zombie(Wombie) attack demo — the smartphone viruses spread like zombies in “Resident Evil”, and the technique details will also be explained. The Wombie doesn’t rely on Internet to spread, so it can’t be detected on the internet. Besides, it can serve as an attack amplifier for many other attack methods. For example, the recent KRACK attack about WPA2 will benefit a lot if combined with the Wombie Attack.

Geräte & Hardware
1 von 22
Downloaden Sie, um offline zu lesen
"Resident Evil" of SmartPhones--Wombie Attack Huiming Liu Tencent Xuanwu Lab
Contents 1.Overview 2.Demo Time 3.Technique details 4.Conclusion
ATTACKER Phone A Phone B
ATTACKER Phone A Phone B
ATTACKER Phone A Phone B
Demo Time
Technique Details 1.Firmware Patch 2.Wireless Zombie Implementation 3.Conclusion
Patch Firware? Why? • In a word, Launch Karma attack on a smartphone • Karma Attack • If you have ever connected to a WiFi, Your devices will frequently send probe request to find it. • Many devices will automatically connect if get correct responses, which is very easy to forge when the devices send directed probes. • Then, the devices may become MITM victims • How about on Latest smartphones?
Karma Attack! But on Android? • Latest Android Versions won’t send directed probe normally • However • All of them will send BROADCAST probe…we can use SSID dictionary to launch Karma Attack. • Add a network manually will STILL send directed probe • Some ROMs will send directed probe MISTAKENLY • How about being an attacker • WiFi chip on the SmartPhones can be both in STA and AP mode • SmartPhones are essentially mobile and of massive amount • If we can make the victim attack and infect another victim. The situation will be much worse
Patch Firware to Make phone infectious – How? • Reverse Engineering the firmware • Patch Probe Request Handler • Patch Association Request Handler
Patch Probe Request in the UCODE? NOT GOOD!
Instead, Forward Probe Request to Firmware Layer and Response! • Patch 1 line in UCODE to forward to firmware • hook sub_19610E • Call wlc_bcn_prb_template to generate template • Modify dst mac and ssid
Patch Association Request Handler (Nexus 5) -- How?
Patch Association Request Handler (Nexus 6p) -- How? • All required Information Elements’ parse function pointers are stored in an array dynamically created in Firmware(RAM) • Information Element SSID’s parse function is implemented in ROM (Hard to Modify) • So, we choose to modify the firmware instead of the ROM • hook a function(sub_1B03AC) in Firmware • Implement a SSID’s parse function • Replace its original parse function pointer with our new function pointer • Nexmon • C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
Results Nexus 5 BCM4339 6.37.34.43 Nexus 6P BCM4358 7.112.200.17
Wombie Attack Process • Step1: Launch Karma attack to MITM other phones. • Step2: Get RCE by exploiting the vulnerabilities in the victims’ smartphones • Step3: Get Root Access and modify the firmware and set attack environment. • Step4: The victim infects another victim
What’s Inside Wireless Zombie? • 1. Background AP • 2. MITM module • 3. Exploit and Environment Setup module Background AP Traffic Hijack Module Exploit Payloads
• Google’s Latest data (OCT 2017): • Android version <=5.x 50% • Latest Android Release Version 0.2% • Version <= 4.x 22.3% How to get RCE/ROOT? Android Fragmentation!
Impact • Invisible Attack: • Doesn't rely on Internet to spread, so we can't detect it on the internet • Magnifier: • Easier to exploit & more severe consequences
Combined with Krack(ATTACK WPA2)? • Krack attack’s preconditions can be satisfied within our attack model. • Preconditions • Clone original wifi to a different channel • Monitor, block and send specific message • The way we can make it in our model • Nexmon to Intercept Packets. (OK) • Like running tcpdump in monitor mode and airbase-ng in the same time. (OK) • But the Exploit Scripts are not released now • Krack attack to WPA2 can be combined with our karma attack to launch and spread more easily
Conclusion • 1. Karma attack to smartphone is very dangerous due to android fragmentation and the smartphone’s mobility. • 2. To defend against this attack model, we must working with system security, wireless security, hardware security • 3. There’s no absolute security. Apart from the vendor’s effort, the users also need to pay more attention.
Acknowledgement Daxing Guo Bin Ma TombKeeper

Empfohlen

Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteGeekPwn Keen
 
Nick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with noseNick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with noseGeekPwn Keen
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
Types Of Attack.
Types Of Attack.Types Of Attack.
Types Of Attack.Greater Noida Institute Of Technology
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksJaeYeoul Ahn
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Network scanning
Network scanningNetwork scanning
Network scanningoceanofwebs
 

Empfohlen

Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteGeekPwn Keen
 
Nick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with noseNick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with noseGeekPwn Keen
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
Types Of Attack.
Types Of Attack.Types Of Attack.
Types Of Attack.Greater Noida Institute Of Technology
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksJaeYeoul Ahn
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Network scanning
Network scanningNetwork scanning
Network scanningoceanofwebs
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat Security Conference
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_referenceCraig Cannon
 
Cafe Latte
Cafe LatteCafe Latte
Cafe LatteAirTight Networks
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerShellmates
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte AttackAirTight Networks
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows Vrushank Narola
 
Automated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersAutomated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersNaveen S.R
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONGCODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONGCODE BLUE
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Android system security
Android system securityAndroid system security
Android system securityChong-Kuan Chen
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 

Weitere ähnliche Inhalte

Was ist angesagt?

Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat Security Conference
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_referenceCraig Cannon
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerShellmates
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows Vrushank Narola
 
Automated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersAutomated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersNaveen S.R
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONGCODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONGCODE BLUE
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 

Was ist angesagt? (20)

Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_reference
 
Cafe Latte
Cafe LatteCafe Latte
Cafe Latte
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows
 
Automated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersAutomated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across Clusters
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONGCODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
 

Ähnlich wie Huiming Liu-'resident evil' of smart phones--wombie attack

SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Florin D. Tanasache
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud EnvironmentShapeBlue
 
Docker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsDocker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsFederico Michele Facca
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applicationseightbit
 
Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...vsoshnikov
 
Introduction To SPOT
Introduction To SPOTIntroduction To SPOT
Introduction To SPOTpauldeng
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2RazorEQX
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 

Ähnlich wie Huiming Liu-'resident evil' of smart phones--wombie attack (20)

Android system security
Android system securityAndroid system security
Android system security
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc groupNtxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Docker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsDocker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platforms
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...
 
Introduction To SPOT
Introduction To SPOTIntroduction To SPOT
Introduction To SPOT
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 

Mehr von GeekPwn Keen

PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...GeekPwn Keen
 
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGETHE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGEGeekPwn Keen
 
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...GeekPwn Keen
 
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...GeekPwn Keen
 
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGEADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGEGeekPwn Keen
 
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...GeekPwn Keen
 
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...GeekPwn Keen
 
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...GeekPwn Keen
 
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
 
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...GeekPwn Keen
 
Bo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural networkBo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural networkGeekPwn Keen
 
Alexey kurakin-what's new in adversarial machine learning
Alexey kurakin-what's new in adversarial machine learningAlexey kurakin-what's new in adversarial machine learning
Alexey kurakin-what's new in adversarial machine learningGeekPwn Keen
 

Mehr von GeekPwn Keen (12)

PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
 
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGETHE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
 
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
 
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
 
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGEADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
 
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
 
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
 
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
 
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
 
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
 
Bo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural networkBo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural network
 
Alexey kurakin-what's new in adversarial machine learning
Alexey kurakin-what's new in adversarial machine learningAlexey kurakin-what's new in adversarial machine learning
Alexey kurakin-what's new in adversarial machine learning
 

Kürzlich hochgeladen

美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作ss846v0c
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubaikojalkojal131
 
Kwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính ThứcKwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính ThứcKwin68 Club
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作f3774p8b
 
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Amil baba
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...Amil Baba Dawood bangali
 
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjekAIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjekpavan402055
 
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfComputer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfShahdAbdElsamea2
 
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作rpb5qxou
 

Kürzlich hochgeladen (9)

美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
 
Kwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính ThứcKwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính Thức
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作
 
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
 
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjekAIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
 
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfComputer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
 
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
 

Huiming Liu-'resident evil' of smart phones--wombie attack

  • 1. "Resident Evil" of SmartPhones--Wombie Attack Huiming Liu Tencent Xuanwu Lab
  • 7. Technique Details 1.Firmware Patch 2.Wireless Zombie Implementation 3.Conclusion
  • 8. Patch Firware? Why? • In a word, Launch Karma attack on a smartphone • Karma Attack • If you have ever connected to a WiFi, Your devices will frequently send probe request to find it. • Many devices will automatically connect if get correct responses, which is very easy to forge when the devices send directed probes. • Then, the devices may become MITM victims • How about on Latest smartphones?
  • 9. Karma Attack! But on Android? • Latest Android Versions won’t send directed probe normally • However • All of them will send BROADCAST probe…we can use SSID dictionary to launch Karma Attack. • Add a network manually will STILL send directed probe • Some ROMs will send directed probe MISTAKENLY • How about being an attacker • WiFi chip on the SmartPhones can be both in STA and AP mode • SmartPhones are essentially mobile and of massive amount • If we can make the victim attack and infect another victim. The situation will be much worse
  • 10. Patch Firware to Make phone infectious – How? • Reverse Engineering the firmware • Patch Probe Request Handler • Patch Association Request Handler
  • 11. Patch Probe Request in the UCODE? NOT GOOD!
  • 12. Instead, Forward Probe Request to Firmware Layer and Response! • Patch 1 line in UCODE to forward to firmware • hook sub_19610E • Call wlc_bcn_prb_template to generate template • Modify dst mac and ssid
  • 13. Patch Association Request Handler (Nexus 5) -- How?
  • 14. Patch Association Request Handler (Nexus 6p) -- How? • All required Information Elements’ parse function pointers are stored in an array dynamically created in Firmware(RAM) • Information Element SSID’s parse function is implemented in ROM (Hard to Modify) • So, we choose to modify the firmware instead of the ROM • hook a function(sub_1B03AC) in Firmware • Implement a SSID’s parse function • Replace its original parse function pointer with our new function pointer • Nexmon • C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
  • 16. Wombie Attack Process • Step1: Launch Karma attack to MITM other phones. • Step2: Get RCE by exploiting the vulnerabilities in the victims’ smartphones • Step3: Get Root Access and modify the firmware and set attack environment. • Step4: The victim infects another victim
  • 17. What’s Inside Wireless Zombie? • 1. Background AP • 2. MITM module • 3. Exploit and Environment Setup module Background AP Traffic Hijack Module Exploit Payloads
  • 18. • Google’s Latest data (OCT 2017): • Android version <=5.x 50% • Latest Android Release Version 0.2% • Version <= 4.x 22.3% How to get RCE/ROOT? Android Fragmentation!
  • 19. Impact • Invisible Attack: • Doesn't rely on Internet to spread, so we can't detect it on the internet • Magnifier: • Easier to exploit & more severe consequences
  • 20. Combined with Krack(ATTACK WPA2)? • Krack attack’s preconditions can be satisfied within our attack model. • Preconditions • Clone original wifi to a different channel • Monitor, block and send specific message • The way we can make it in our model • Nexmon to Intercept Packets. (OK) • Like running tcpdump in monitor mode and airbase-ng in the same time. (OK) • But the Exploit Scripts are not released now • Krack attack to WPA2 can be combined with our karma attack to launch and spread more easily
  • 21. Conclusion • 1. Karma attack to smartphone is very dangerous due to android fragmentation and the smartphone’s mobility. • 2. To defend against this attack model, we must working with system security, wireless security, hardware security • 3. There’s no absolute security. Apart from the vendor’s effort, the users also need to pay more attention.